Configure session behavior using custom policies in Azure Active Directory B2C

Single sign-on (SSO) session management in Azure Active Directory B2C (Azure AD B2C) enables an administrator to control interaction with a user after the user has already authenticated. For example, the administrator can control whether the selection of identity providers is displayed, or whether account details need to be entered again. This article describes how to configure the SSO settings for Azure AD B2C.

Session behavior properties

You can use the following properties to manage web application sessions:

  • Web app session lifetime (minutes) - The lifetime of the Azure AD B2C session cookie stored in the user's browser after successful authentication.
    • Default = 86400 seconds (1440 minutes).
    • Minimum (inclusive) = 900 seconds (15 minutes).
    • Maximum (inclusive) = 86400 seconds (1440 minutes).
  • Web app session timeout - The session expiry type, Rolling or Absolute.
  • Single sign-on configuration - The session scope of the single sign-on (SSO) behavior across multiple apps and user flows in your Azure AD B2C tenant.

Configure the properties

To change your session behavior and SSO configuration, add a UserJourneyBehaviors element inside the RelyingParty element. The UserJourneyBehaviors element must immediately follow DefaultUserJourney. Your UserJourneyBehaviors element should look like this example:

<UserJourneyBehaviors>
   <SingleSignOn Scope="Application" />
   <SessionExpiryType>Absolute</SessionExpiryType>
   <SessionExpiryInSeconds>86400</SessionExpiryInSeconds>
</UserJourneyBehaviors>
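A policy lint for the rules above, added here as an example rather than anything shipped with Azure AD B2C: it checks that UserJourneyBehaviors immediately follows DefaultUserJourney, that SessionExpiryType is Rolling or Absolute, and that SessionExpiryInSeconds sits inside the 900 to 86400 second bounds. The sample policy fragment is constructed, and the ALLOWED_SCOPES set is taken from the Azure AD B2C policy schema (only Application appears on this page).

```python
import xml.etree.ElementTree as ET

# Constructed sample (no real tenant data); element names and values follow the
# page's UserJourneyBehaviors example, wrapped in a minimal RelyingParty.
SAMPLE_POLICY = """<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06">
  <RelyingParty>
    <DefaultUserJourney ReferenceId="SignUpOrSignIn" />
    <UserJourneyBehaviors>
      <SingleSignOn Scope="Application" />
      <SessionExpiryType>Absolute</SessionExpiryType>
      <SessionExpiryInSeconds>86400</SessionExpiryInSeconds>
    </UserJourneyBehaviors>
  </RelyingParty>
</TrustFrameworkPolicy>"""

MIN_SECONDS, MAX_SECONDS = 900, 86400        # inclusive bounds stated on the page
EXPIRY_TYPES = {"Rolling", "Absolute"}
# Assumed scope set from the Azure AD B2C schema; only "Application" is shown on this page.
ALLOWED_SCOPES = {"Suppressed", "Tenant", "Application", "Policy"}

def local(tag):
    """Drop the namespace prefix so checks work with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def check_session_behavior(policy_xml):
    """Lint every RelyingParty; returns a list of findings (empty = pass)."""
    findings = []
    root = ET.fromstring(policy_xml)
    for rp in (e for e in root.iter() if local(e.tag) == "RelyingParty"):
        names = [local(c.tag) for c in rp]
        if "UserJourneyBehaviors" not in names:
            findings.append("missing UserJourneyBehaviors")
            continue
        i = names.index("UserJourneyBehaviors")
        # Ordering rule from the page: must immediately follow DefaultUserJourney.
        if i == 0 or names[i - 1] != "DefaultUserJourney":
            findings.append("UserJourneyBehaviors must immediately follow DefaultUserJourney")
        kids = {local(c.tag): c for c in rp[i]}
        sso = kids.get("SingleSignOn")
        if sso is None or sso.get("Scope") not in ALLOWED_SCOPES:
            findings.append("SingleSignOn Scope missing or unrecognised")
        et = kids.get("SessionExpiryType")
        if et is None or (et.text or "").strip() not in EXPIRY_TYPES:
            findings.append("SessionExpiryType must be Rolling or Absolute")
        secs = kids.get("SessionExpiryInSeconds")
        value = int(secs.text) if secs is not None and (secs.text or "").strip().isdigit() else None
        if value is None or not MIN_SECONDS <= value <= MAX_SECONDS:
            findings.append(f"SessionExpiryInSeconds must be {MIN_SECONDS}..{MAX_SECONDS}")
    return findings
```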

Single sign-out

Configure the applications

When you redirect the user to the Azure AD B2C sign-out endpoint (for both the OAuth2 and SAML protocols), Azure AD B2C clears the user's session from the browser. To allow single sign-out, set the LogoutUrl of the application in the Azure portal:

  1. Navigate to the Azure portal.
  2. Choose your Azure AD B2C directory by clicking your account in the top right corner of the page.
  3. In the left menu, choose Azure AD B2C, select App registrations, and then select your application.
  4. Select Settings, select Properties, and then find the Logout URL text box.

Configure the token issuer

To support single sign-out, the token issuer technical profiles for both JWT and SAML must specify:

  • The protocol name, such as <Protocol Name="OpenIdConnect" />
  • The reference to the session technical profile, such as <UseTechnicalProfileForSessionManagement ReferenceId="SM-OAuth-issuer" />.

The following example illustrates the JWT and SAML token issuers with single sign-out:

<ClaimsProvider>
  <DisplayName>Local Account SignIn</DisplayName>
  <TechnicalProfiles>
    <!-- JWT Token Issuer -->
    <TechnicalProfile Id="JwtIssuer">
      <DisplayName>JWT token Issuer</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <OutputTokenFormat>JWT</OutputTokenFormat>
      ...    
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-OAuth-issuer" />
    </TechnicalProfile>

    <!-- Session management technical profile for OIDC based tokens -->
    <TechnicalProfile Id="SM-OAuth-issuer">
      <DisplayName>Session Management Provider</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.OAuthSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    </TechnicalProfile>

    <!--SAML token issuer-->
    <TechnicalProfile Id="Saml2AssertionIssuer">
      <DisplayName>SAML token issuer</DisplayName>
      <Protocol Name="SAML2" />
      <OutputTokenFormat>SAML2</OutputTokenFormat>
      ...
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Saml-issuer" />
    </TechnicalProfile>

    <!-- Session management technical profile for SAML based tokens -->
    <TechnicalProfile Id="SM-Saml-issuer">
      <DisplayName>Session Management Provider</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.SamlSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
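A check for the two single sign-out requirements listed above, added as an example and not part of the page's policy or of Azure AD B2C: for every technical profile that emits a JWT or SAML2 token it verifies a Protocol Name is set, that UseTechnicalProfileForSessionManagement is present, and that the referenced profile exists and uses one of the SSO session providers. The sample ClaimsProvider is constructed from the page's example with the SAML issuer's session reference deliberately left out; the "SSO" substring test on the Handler is a heuristic of mine.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the page's ClaimsProvider: the JWT issuer is
# wired correctly, the SAML issuer deliberately lacks the session reference.
SAMPLE = """<ClaimsProvider>
  <DisplayName>Local Account SignIn</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="JwtIssuer">
      <Protocol Name="OpenIdConnect" />
      <OutputTokenFormat>JWT</OutputTokenFormat>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-OAuth-issuer" />
    </TechnicalProfile>
    <TechnicalProfile Id="SM-OAuth-issuer">
      <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.OAuthSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    </TechnicalProfile>
    <TechnicalProfile Id="Saml2AssertionIssuer">
      <Protocol Name="SAML2" />
      <OutputTokenFormat>SAML2</OutputTokenFormat>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>"""

def local(tag):
    return tag.rsplit("}", 1)[-1]   # ignore any xmlns prefix

def check_single_sign_out(policy_xml):
    """Return {issuer_id: finding} for token issuers that cannot take part in single sign-out."""
    root = ET.fromstring(policy_xml)
    profiles = {tp.get("Id"): tp for tp in root.iter() if local(tp.tag) == "TechnicalProfile"}
    findings = {}
    for tp_id, tp in profiles.items():
        kids = {local(c.tag): c for c in tp}
        fmt = kids.get("OutputTokenFormat")
        if fmt is None or (fmt.text or "").strip() not in ("JWT", "SAML2"):
            continue  # not a token issuer, nothing to check
        proto = kids.get("Protocol")
        if proto is None or not proto.get("Name"):
            findings[tp_id] = "issuer has no <Protocol Name=...>"
            continue
        ref = kids.get("UseTechnicalProfileForSessionManagement")
        if ref is None:
            findings[tp_id] = "issuer has no UseTechnicalProfileForSessionManagement"
            continue
        sm = profiles.get(ref.get("ReferenceId"))
        sm_proto = None if sm is None else next((c for c in sm if local(c.tag) == "Protocol"), None)
        # Heuristic: both handlers shown on the page contain "SSO" in their type name.
        if sm is None or sm_proto is None or "SSO" not in (sm_proto.get("Handler") or ""):
            findings[tp_id] = f"session profile {ref.get('ReferenceId')!r} missing or not an SSO session provider"
    return findings
```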

Next steps